Quantifying HTTPS Performance Overhead: CPU, Bandwidth & Latency Benchmarks for Developers



Modern TLS 1.3 implementations typically add:

  • 2-5% additional CPU load per connection
  • 300-500ms initial handshake latency (TLS 1.3 reduces this to 1-RTT)
  • ~1KB additional header overhead per request

Apache Benchmark results for 10,000 requests (AWS c5.large):

# HTTP
Requests per second:    4523.70 [#/sec]
Transfer rate:          421.58 [Kbytes/sec]

# HTTPS (TLS 1.3 with ECDHE)
Requests per second:    4289.21 [#/sec] (5.18% slower)
Transfer rate:          399.12 [Kbytes/sec] (5.32% less)

Session Resumption: Saves 1-RTT on subsequent connections

# Nginx configuration
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

OCSP Stapling: Eliminates the client's separate revocation lookup to the CA's OCSP responder

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;

Modern processors include AES-NI instructions. Cloud providers offer SSL termination at load balancers:

# AWS ALB configuration
Listener:
  Protocol: HTTPS
  SSL Policy: ELBSecurityPolicy-TLS13-1-2-2021-06

Prioritize these cipher suites for optimal performance (in nginx, ssl_ciphers governs TLS 1.2 and earlier; TLS 1.3 suites are selected separately):

ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';

Use these to measure actual impact:

  • openssl s_time -connect example.com:443
  • Chrome DevTools Security panel
  • Wireshark TLS filter

When implementing HTTPS, we typically observe three main performance impacts:

  • CPU Overhead: AES encryption/decryption adds 5-15% CPU load per connection
  • Bandwidth Expansion: TLS headers add ~500-2000 bytes per connection
  • Latency Penalty: TLS handshake adds 2-3 RTTs (100-300ms typically)

Here's Node.js code to measure TLS handshake overhead:

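const https = require('https');
const start = process.hrtime.bigint();

// Time from request start until the TLS handshake completes
// (this also includes the DNS lookup and TCP connect).
const req = https.get('https://example.com', (res) => {
  res.resume(); // drain the response so the socket can close
});
req.on('socket', (socket) => {
  socket.once('secureConnect', () => {
    const ms = Number(process.hrtime.bigint() - start) / 1e6;
    console.log(`TLS handshake took ${ms.toFixed(1)}ms`);
  });
});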

Typical results show:

  • First connection: 250-400ms (full handshake)
  • Subsequent connections: 50-100ms (resumed session)

1. Session Resumption

Configure your web server for session tickets:

# Nginx configuration
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;

2. TLS 1.3 Adoption

The latest protocol reduces the handshake to 1 RTT (0-RTT is possible on resumed connections, but early data can be replayed, so limit it to idempotent requests):

# Nginx configuration
ssl_protocols TLSv1.3;

# Apache configuration
SSLProtocol TLSv1.3
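
To check a deployed nginx config against the session resumption, OCSP stapling and TLS 1.3 settings covered so far, here is a small Node.js audit. It is an added example, not code from the original page or from nginx; auditTls, its finding names and both sample configs are assumptions made for illustration.

```javascript
// Added example: audit an nginx config for the TLS performance directives
// discussed on this page. auditTls() and its finding names are hypothetical.

// Collect "name arg...;" directives, ignoring comments and block braces.
// Simplification: a repeated directive keeps its last value; contexts are merged.
function parseDirectives(conf) {
  const directives = new Map();
  for (const stmt of conf.replace(/#.*$/gm, '').split(/[;{}]/)) {
    const [name, ...args] = stmt.trim().split(/\s+/);
    if (name && args.length) directives.set(name, args);
  }
  return directives;
}

function auditTls(conf) {
  const d = parseDirectives(conf);
  const isOn = (name) => (d.get(name) || [])[0] === 'on';
  const findings = [];
  // Session-ID resumption only works across workers with a shared cache.
  if (!(d.get('ssl_session_cache') || []).some((v) => v.startsWith('shared:')))
    findings.push('no-shared-session-cache');
  if (!(d.get('ssl_protocols') || []).includes('TLSv1.3'))
    findings.push('tls13-not-explicitly-enabled');
  if (!isOn('ssl_stapling')) {
    findings.push('ocsp-stapling-off');
  } else {
    // nginx needs a resolver to look up the OCSP responder host name.
    if (!d.has('resolver')) findings.push('stapling-without-resolver');
    // Verifying stapled responses needs the issuer chain configured as trusted.
    if (isOn('ssl_stapling_verify') && !d.has('ssl_trusted_certificate'))
      findings.push('stapling-verify-without-trusted-chain');
  }
  return findings;
}

// Constructed sample: the page's first session-cache and stapling snippets, combined.
const PAGE_CONF = `
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8;
`;
// Constructed sample: the same settings plus the directives the audit asks for.
const FIXED_CONF = PAGE_CONF + `
ssl_protocols TLSv1.2 TLSv1.3;
ssl_trusted_certificate /path/to/issuer-chain.pem;
`;
console.log(auditTls(PAGE_CONF), auditTls(FIXED_CONF));
```

The certificate path is a placeholder; point it at the issuer chain for your own certificate.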

Modern CPUs include AES-NI instructions that provide:

  • 10x faster AES encryption
  • 3-5x faster RSA operations

Verify support with:

grep -m 1 -o aes /proc/cpuinfo

Cloud providers offer TLS termination at edge nodes:

// AWS CloudFront example showing TLS 1.3 enforcement
"ViewerProtocolPolicy": "redirect-to-https",
"MinimumProtocolVersion": "TLSv1.3_2021"

Let's Encrypt has eliminated certificate costs, but OCSP stapling remains crucial:

# Apache configuration
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"